Monitoring your fleet's event logs - Part 2


Install Splunk - It's free!

Modify Program Files\Splunk\etc\system\local\inputs.conf

Add the line below inside the stanza for the event log input, which for the input created further down is [WinEventLog://ForwardedEvents] (create the stanza if it isn't there yet; Splunk merges stanzas of the same name across its inputs.conf files, so the setting is picked up by the input the Add Data wizard writes). It makes Splunk resolve the SIDs and GUIDs in the events to account and object names instead of leaving raw identifiers in the indexed events.

evt_resolve_ad_obj = 1


Then restart Splunk so the change is read: in Splunk click Settings, then Server controls, and click Restart Splunk.

Next we need to add our data source: click Add Data from the launch screen, then Monitor.


Choose Local Events then ForwardedEvents and click Next


Click Create a new index, call it ForwardedEvents, click Save, change the Index to ForwardedEvents, then click Review and Submit. Index names are lowercase in Splunk, which is why the search below refers to index="forwardedevents".

Give it some time to collect a few logins, then go to Search & Reporting

index="forwardedevents" LogName="Microsoft-Windows-User Profile Service/Operational" (EventCode=1 OR EventCode=2 OR EventCode=6 OR EventCode=7)  | transaction ComputerName startswith=eval(EventCode=1) endswith=eval(EventCode=2) | table ComputerName, duration

So this takes the selected data, filters it to the four event codes, pairs each event code 1 with the next event code 2 on the same ComputerName (that's what transaction with startswith/endswith does), and tables the duration in seconds between the two.

Edit: This search can be a bit funny; the delay ended up being in syncing the roaming profile, so I've also run

index="forwardedevents" LogName="Microsoft-Windows-User Profile Service/Operational" (EventCode=1 OR EventCode=2 OR EventCode=6 OR EventCode=7)  | transaction ComputerName startswith=eval(EventCode=6) endswith=eval(EventCode=7) | table ComputerName, duration

Then click on the Visualization tab

This also lets you dive into each login by clicking one and getting the underlying events.

You can save this as a report or dashboard and share it with people.
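The pairing the transaction command does above, as an added example that is not part of the original post: a PowerShell function that walks User Profile Service events in time order, matches each start event (1, or 6 for the second search) to the next end event (2 or 7) on the same ComputerName, and reports the duration in seconds, so you can check Splunk's numbers against one machine's own log. The sample events are constructed; the commented-out Get-WinEvent call is how you would feed it real data.

```powershell
# Added example (not from the original post): reproduce the Splunk "transaction"
# pairing locally. Works on any objects with MachineName, Id and TimeCreated,
# which is what Get-WinEvent returns.
function Get-ProfileTransaction {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $StartId = 1,          # 1 -> 2: logon notification received -> finished
        [int] $EndId   = 2,          # 6 -> 7: the pair used in the second search
        [int] $MaxSpanSeconds = 900  # like transaction's maxspan: drop pairs that span longer
    )
    $open = @{}   # ComputerName -> TimeCreated of the unmatched start event
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        if ($e.Id -eq $StartId) {
            # a new start before the previous one was closed replaces it; the
            # unmatched one is dropped, like an evicted incomplete transaction
            $open[$e.MachineName] = $e.TimeCreated
            continue
        }
        if ($e.Id -ne $EndId -or -not $open.ContainsKey($e.MachineName)) { continue }
        $start = $open[$e.MachineName]
        $open.Remove($e.MachineName)
        $seconds = ($e.TimeCreated - $start).TotalSeconds
        if ($seconds -le $MaxSpanSeconds) {
            [pscustomobject]@{
                ComputerName = $e.MachineName
                Start        = $start
                duration     = [math]::Round($seconds, 1)   # same field name the SPL produces
            }
        }
    }
}

# Constructed sample (not real events): two machines, one logon each, plus a 6/7 pair on PC01.
$t0 = [datetime]'2015-02-05 09:00:00'
$sample = @(
    [pscustomobject]@{ MachineName = 'PC01'; Id = 1; TimeCreated = $t0 }
    [pscustomobject]@{ MachineName = 'PC02'; Id = 1; TimeCreated = $t0.AddSeconds(3) }
    [pscustomobject]@{ MachineName = 'PC01'; Id = 6; TimeCreated = $t0.AddSeconds(4) }
    [pscustomobject]@{ MachineName = 'PC01'; Id = 7; TimeCreated = $t0.AddSeconds(38) }
    [pscustomobject]@{ MachineName = 'PC01'; Id = 2; TimeCreated = $t0.AddSeconds(41) }
    [pscustomobject]@{ MachineName = 'PC02'; Id = 2; TimeCreated = $t0.AddSeconds(127) }
)
Get-ProfileTransaction -Events $sample -StartId 1 -EndId 2 | Format-Table
Get-ProfileTransaction -Events $sample -StartId 6 -EndId 7 | Format-Table

# Live data (run on the machine, or add -ComputerName; needs rights to read the log):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-User Profile Service/Operational'; Id = 1, 2 }
# Get-ProfileTransaction -Events $live | Sort-Object duration -Descending
```

One caveat that applies to the Splunk searches as much as to this function: keying on ComputerName alone assumes one logon at a time per host. On a terminal server, or any box where two users log on within the same window, the start of one logon will be paired with the end of another, so if your events expose a session or user field, add it to the key (the searches above do not).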


There is so much more you can do with this software, and it takes some time to learn it. I'll post more as I do.



Creating Collections to deploy ConfigMgr client updates (the easy way)


Get the Servicing Extension from Microsoft now, as it does all the work!

Once you have this installed, in the Administration node there's a Site Servicing section -> Client Targeting. Click 'Create Query' and it generates the collection query for you.


Then you go about creating your collection.

Screenshot 2015-02-05 09.39.11

Click Next. Select Add Rule -> Query Rule.


Click Import Query Statement and choose the query the Microsoft extension made for you.

Screenshot 2015-02-05 09.44.29

Then deploy the cumulative update to the new collection.
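The same collection built from the ConfigMgr PowerShell module instead of the console, as an added example that is not part of the original post and not the Servicing Extension's output. The WQL here is an assumed stand-in for the query the extension generates (clients whose ClientVersion is below the version the cumulative update installs); paste the extension's query text into $query instead if you have it. The site code, version number and collection name are placeholders.

```powershell
# Added example (not the Servicing Extension's own query). Placeholders: site code
# 'PS1', the target client version, and the collection name.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"   # set by the console install
Set-Location 'PS1:'   # the site drive the module creates; replace PS1 with your site code

$targetVersion  = '5.00.8239.1000'   # assumed: the client version the cumulative update installs
$collectionName = "ConfigMgr client below $targetVersion"

# ClientVersion is stored as a string, so "<" is a lexical comparison. That is only safe
# because 5.00.xxxx.xxxx client versions all have the same width; check with the preview
# (or the Get-CMDevice listing below) before you deploy against it.
$query = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.Client = 1 and SMS_R_System.ClientVersion < "$targetVersion"
"@

$coll = Get-CMDeviceCollection -Name $collectionName
if (-not $coll) {
    $coll = New-CMDeviceCollection -Name $collectionName -LimitingCollectionName 'All Systems' -RefreshType Periodic
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collectionName `
        -RuleName 'Client below target version' -QueryExpression $query
}

# Members only appear after a collection evaluation; force one, then list what it caught
# so you can eyeball the ClientVersion values before deploying the update to it.
Invoke-CMCollectionUpdate -Name $collectionName
Get-CMDevice -CollectionName $collectionName | Select-Object Name, ClientVersion
```

Limiting to 'All Systems' matches the console default; limit to a narrower collection if you are piloting the client update first.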



How To: Create Automatic Deployment Rules for Patch Tuesday Software Updates


Automatic deployment of updates is one of the best features of SCCM. Automation in general is awesome.

The best way to use Automatic Deployment Rules (ADRs) is to have them run on Patch Tuesday, the second Tuesday of the month, when Microsoft releases its updates, generally before 11:00 PST/PDT (I am Australia based, so I set my ADRs to run Wednesday morning).

In this example I am deploying the Windows 8.1 x64 updates in the Critical Updates, Security Updates and Updates classifications.

1. Under the Software Library node, Software Updates, click Automatic Deployment Rules, then select 'Create Automatic Deployment Rule' from the ribbon.


2. In the Wizard name your ADR 'ADR: Windows 8.1 x64 Updates'


3. Click Browse and select your target collection

4. Change the option to 'Create a new Software Update Group'. The other option, 'Add to an existing Software Update Group', should really be called 'Wipe previous updates from Software Update Group', as that's what it does.

5. Click Next.

6. Ensure 'Automatically deploy all software updates found by this rule, and approve any license agreements' is ticked. Optionally also enable the Wake-on-LAN tickbox.


7. Click Next

8.  Choose Date Released or Revised, set it to Last 3 weeks.


9. Choose Product, set it to 'Windows 8.1'

10. Choose Update Classification, set it to “Critical Updates” OR “Security Updates” OR “Updates”.

11. Choose Title, set it to 'x64'. This filters out the x86 updates (it also drops any update whose title doesn't mention x64 at all, so check the preview in the next step).

12. Click Preview, if you are doing this on Patch Tuesday you will see all the applicable updates that will be deployed. Otherwise you can change the date range for the example.


13. Click Next

14. Choose 'Run the rule on a schedule'.


15. Click Customize and choose to run the rule every second Tuesday at the appropriate time for your time zone. Click OK. (Not too important for the demo, as you can run it manually.)


16. Click Next

17. Customize the Deadline to 'As soon as possible'.


18. Click Next

19. Change the User Experience to 'Display in Software Center and show all notifications'


20. Tick 'Software Installation' under Deadline behavior, which allows the updates to install outside maintenance windows once the deadline has passed.

21. Click Next.

22. Click Next.

23. Click Next

24. Choose Create a new deployment package.


25. Name it 'ADR: Windows 8.1 x64 Updates' and select a UNC share for storage of the software updates.

26. Add Distribution Points.


27. Click Next.

28. Click Next

29. Select desired languages, click Next


30. Click Next, then Close.

31. Right click on your newly created ADR and click 'Run Now'. You can monitor progress on the site server by checking Program Files\Microsoft Configuration Manager\Logs\ruleengine.log.


32. Give it some time to download and distribute the updates, then on a client machine run a machine policy update and verify that the updates install via Software Center.



33. After having a play, check out this post for some best practices for setting up all your Automatic Deployment Rules, including piloting your updates to a pilot group for 7 days.

34. Also check out this post to automate sending out a report on what updates are being deployed.
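Steps 31 and 32 scripted, as an added example that is not part of the original post: a parser for the CMTrace-format lines in ruleengine.log on the site server, exercised here over constructed sample lines so it runs anywhere, and a client-side function that triggers the machine policy, software update scan and deployment evaluation cycles and then lists what the client reports. The log path assumes the default install location; the schedule GUIDs are the documented client trigger IDs.

```powershell
# Added example (not from the original post). Site-server side: ConfigMgr logs are CMTrace
# format, one <![LOG[...]LOG]!><time=... date=... component=... type="N" ...> record per
# line, where type 1 = info, 2 = warning, 3 = error.
function ConvertFrom-CMTraceLine {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Line)
    process {
        if ($Line -match '<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)".*?type="(?<type>\d)"') {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches.type]
                Message   = $Matches.msg
            }
        }
    }
}

# Warnings and errors from the tail of ruleengine.log after 'Run Now' (step 31).
function Get-RuleEngineProblems {
    param(
        [string] $LogPath = 'C:\Program Files\Microsoft Configuration Manager\Logs\ruleengine.log',
        [int] $Tail = 2000
    )
    Get-Content -Path $LogPath -Tail $Tail | ConvertFrom-CMTraceLine |
        Where-Object { $_.Severity -ne 'Info' }
}

# Constructed sample lines (not real log content) so the parser can be tried without a site server.
$sampleLog = @(
    '<![LOG[Rule "ADR: Windows 8.1 x64 Updates" started]LOG]!><time="09:30:01.100+000" date="02-11-2015" component="RuleEngine" context="" type="1" thread="4711" file="ruleengine.cpp:100">'
    '<![LOG[Failed to download content for one of the updates]LOG]!><time="09:31:15.222+000" date="02-11-2015" component="RuleEngine" context="" type="3" thread="4711" file="ruleengine.cpp:200">'
)
$sampleLog | ConvertFrom-CMTraceLine | Where-Object { $_.Severity -ne 'Info' } | Format-Table

# Client side (run on the client as admin): force the cycles step 32 asks for, then list
# the updates the client knows about. Schedule IDs are the documented client trigger GUIDs.
function Invoke-ClientUpdateCheck {
    [CmdletBinding()] param()
    $cycles = [ordered]@{
        'Machine policy retrieval & evaluation'  = '{00000000-0000-0000-0000-000000000021}'
        'Software updates scan'                  = '{00000000-0000-0000-0000-000000000113}'
        'Software updates deployment evaluation' = '{00000000-0000-0000-0000-000000000108}'
    }
    foreach ($name in $cycles.Keys) {
        Invoke-CimMethod -Namespace 'root\ccm' -ClassName SMS_Client -MethodName TriggerSchedule `
            -Arguments @{ sScheduleID = $cycles[$name] } | Out-Null
        Write-Verbose "Triggered: $name"
    }
    # EvaluationState values as documented for the CCM_SoftwareUpdate client SDK class
    $state = @{ 0 = 'None'; 1 = 'Available'; 2 = 'Submitted'; 3 = 'Detecting'; 4 = 'PreDownload';
                5 = 'Downloading'; 6 = 'WaitInstall'; 7 = 'Installing'; 8 = 'PendingSoftReboot';
                9 = 'PendingHardReboot'; 10 = 'WaitReboot'; 11 = 'Verifying'; 12 = 'InstallComplete';
                13 = 'Error'; 14 = 'WaitServiceWindow' }
    Get-CimInstance -Namespace 'root\ccm\ClientSDK' -ClassName CCM_SoftwareUpdate |
        Select-Object ArticleID, Name, @{ n = 'State'; e = { $state[[int]$_.EvaluationState] } }
}
# Invoke-ClientUpdateCheck -Verbose
```

The scan and deployment evaluation cycles are what actually make a client notice the new deployment; a machine policy refresh alone just fetches the policy, so if Software Center still shows nothing, give the scan a few minutes and re-run the listing.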